Dealing with PayPal's messy SPF records

Paul McNett p at ulmcnett.com
Tue Sep 4 18:57:45 EDT 2007


I administer email for a few clients of mine, using Postfix. One of the 
policies that is in place is SPF-checking, and rejecting messages 
accordingly. This has been working well for months.

However, today a user called me to complain that they weren't able to 
get confirmed with PayPal to set up a new account. Turns out, SPF was 
rejecting the email from PayPal because of "Too many DNS lookups". This 
was somewhat surprising as I had been expecting the problem to be with 
my greylisting setup.

I took a look at PayPal's SPF structure and it is indeed a big mess - 
lots of includes, and those includes have lots of hosts and mx records, 
etc.

I helped the user by temporarily disabling all SPF checking and then 
reenabling it after the user got confirmed, but I was wondering if there 
is an elegant way to tell Postfix to "ignore the going over MAX_LOOKUPS" 
for ("paypal.com",). I guess this would involve modifying policyd-spf.py?

I took a look at the source spf.py, and see where these values are 
hardcoded, complete with references to the RFC, and I don't want to 
modify those hardcoded values. I also don't want to disable SPF as the 
final layer of policy checking on my mail server. But, I have to 
recognize that companies like PayPal are big players, and I'm probably 
not going to get them to budge by complaining, so I should try to 
accommodate their messy setups as much as possible, as my users are 
nearly always right.

Anyone been down this road before and can offer tips/advice? I did 
google for relevant strings, but didn't come up with anything that 
appeared to address this specific problem.


-- 
pkm ~ http://paulmcnett.com
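
Added example, not part of the original post and not code from spf.py or policyd-spf.py: a diagnostic that walks a sender's SPF include tree and counts the terms that trigger DNS queries, so an administrator can confirm a "Too many DNS lookups" rejection against the RFC 4408 limit of 10. The domains, TXT records and function names are constructed for illustration; a real check would fetch the TXT records from DNS.

```python
import re

# Constructed TXT records standing in for DNS answers (hypothetical domains).
ZONE = {
    "shop.example": "v=spf1 mx include:_spf1.shop.example "
                    "include:_spf2.shop.example include:mail.vendor.example ~all",
    "_spf1.shop.example": "v=spf1 a:out1.shop.example a:out2.shop.example "
                          "mx:corp.shop.example ip4:192.0.2.0/24 ~all",
    "_spf2.shop.example": "v=spf1 a:out3.shop.example mx:eu.shop.example "
                          "exists:%{i}.wl.shop.example ~all",
    "mail.vendor.example": "v=spf1 include:_a.vendor.example mx ptr ~all",
    "_a.vendor.example": "v=spf1 a mx ip4:198.51.100.0/24 ~all",
    "tidy.example": "v=spf1 ip4:203.0.113.0/24 mx -all",
    "loop1.example": "v=spf1 include:loop2.example -all",
    "loop2.example": "v=spf1 include:loop1.example -all",
}

RFC_LIMIT = 10  # RFC 4408 section 10.1: max DNS-querying terms per check
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's record.

    A real evaluation stops at the first matching mechanism, so this is an
    upper bound; the per-mx and per-ptr name limits are not modelled.
    """
    if domain in path:          # include/redirect loop: stop descending
        return 0
    record = zone.get(domain.lower(), "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        name, sep, arg = re.match(r"([A-Za-z0-9]+)([:=]?)(.*)",
                                  term.lstrip("+-~?")).groups()
        name = name.lower()
        if sep == "=":          # modifier; only redirect= costs a lookup
            if name == "redirect":
                total += 1 + count_lookups(arg, zone, path + (domain,))
        elif name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, zone, path + (domain,))
    return total

def exceeds_limit(domain, zone=ZONE):
    """True when the worst-case lookup count is over the RFC limit."""
    return count_lookups(domain, zone) > RFC_LIMIT

if __name__ == "__main__":
    for d in ("shop.example", "tidy.example"):
        print(d, count_lookups(d), "over limit" if exceeds_limit(d) else "ok")
```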



More information about the Python-list mailing list